一、前言

tomcat具有某些特性,会对/;//.//..//..;/进行特殊处理,究竟是怎样的机制导致了这些特性,本文通过动态调试tomcat源码来分析url解析过程,解开疑惑

二、环境搭建

  • jdk 8
  • maven 3.6
  • idea 2020.2
  • tomcat 9.0.45

2.1 tomcat

官网下载源码

复制confwebapps至新文件夹catalina-home

添加maven配置文件pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>Tomcat9.0.45</artifactId>
    <name>Tomcat9.0.45</name>
    <version>9.0.45</version>

    <build>
        <finalName>Tomcat9.0.45</finalName>
        <sourceDirectory>java</sourceDirectory>
        <resources>
            <resource>
                <directory>java</directory>
            </resource>
        </resources>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>2.3</version>
                <configuration>
                    <encoding>UTF-8</encoding>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>
        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant</artifactId>
            <version>1.10.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant-apache-log4j</artifactId>
            <version>1.9.5</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant-commons-logging</artifactId>
            <version>1.9.5</version>
        </dependency>
        <dependency>
            <groupId>javax.xml.rpc</groupId>
            <artifactId>javax.xml.rpc-api</artifactId>
            <version>1.1</version>
        </dependency>
        <dependency>
            <groupId>wsdl4j</groupId>
            <artifactId>wsdl4j</artifactId>
            <version>1.6.2</version>
        </dependency>
        <dependency>
            <groupId>org.eclipse.jdt.core.compiler</groupId>
            <artifactId>ecj</artifactId>
            <version>4.6.1</version>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.easymock</groupId>
            <artifactId>easymock</artifactId>
            <version>3.5.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>biz.aQute.bnd</groupId>
            <artifactId>biz.aQute.bndlib</artifactId>
            <version>5.2.0</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
</project>

./test/trailers文件夹下写入ResponseTrailers.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package trailers;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * This example writes some trailer fields to the HTTP response.
 */
public class ResponseTrailers extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private static final Supplier<Map<String,String>> TRAILER_FIELD_SUPPLIER =
            new TrailerFieldSupplier();


    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        resp.setTrailerFields(TRAILER_FIELD_SUPPLIER);
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");

        PrintWriter pw  = resp.getWriter();

        pw.print("This response should include trailer fields.");
    }


    private static class TrailerFieldSupplier implements Supplier<Map<String,String>> {

        private static final Map<String,String> trailerFields = new HashMap<>();

        static {
            trailerFields.put("x-trailer-1", "Trailer value one");
            trailerFields.put("x-trailer-2", "Trailer value two");
        }

        @Override
        public Map<String, String> get() {
            return trailerFields;
        }
    }
}

./test/util文件夹下写入CookieFilter.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package util;

import java.util.Locale;
import java.util.StringTokenizer;

/**
 * Processes a cookie header and attempts to obfuscate any cookie values that
 * represent session IDs from other web applications. Since session cookie names
 * are configurable, as are session ID lengths, this filter is not expected to
 * be 100% effective.
 *
 * It is required that the examples web application is removed in security
 * conscious environments as documented in the Security How-To. This filter is
 * intended to reduce the impact of failing to follow that advice. A failure by
 * this filter to obfuscate a session ID or similar value is not a security
 * vulnerability. In such instances the vulnerability is the failure to remove
 * the examples web application.
 */
public class CookieFilter {

    private static final String OBFUSCATED = "[obfuscated]";

    private CookieFilter() {
        // Hide default constructor
    }

    public static String filter(String cookieHeader, String sessionId) {

        StringBuilder sb = new StringBuilder(cookieHeader.length());

        // Cookie name value pairs are ';' separated.
        // Session IDs don't use ; in the value so don't worry about quoted
        // values that contain ;
        StringTokenizer st = new StringTokenizer(cookieHeader, ";");

        boolean first = true;
        while (st.hasMoreTokens()) {
            if (first) {
                first = false;
            } else {
                sb.append(';');
            }
            sb.append(filterNameValuePair(st.nextToken(), sessionId));
        }


        return sb.toString();
    }

    private static String filterNameValuePair(String input, String sessionId) {
        int i = input.indexOf('=');
        if (i == -1) {
            return input;
        }
        String name = input.substring(0, i);
        String value = input.substring(i + 1, input.length());

        return name + "=" + filter(name, value, sessionId);
    }

    public static String filter(String cookieName, String cookieValue, String sessionId) {
        if (cookieName.toLowerCase(Locale.ENGLISH).contains("jsessionid") &&
                (sessionId == null || !cookieValue.contains(sessionId))) {
            cookieValue = OBFUSCATED;
        }

        return cookieValue;
    }
}

2.2 idea

将项目导入idea,修改Language level为当前jdk版本,并把catalina-home文件夹标记为Sourcestest 文件夹标记为Tests

确保jdk版本与环境一致

添加maven国内镜像

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<mirrors>
    <!-- 阿里云仓库 -->
    <mirror>
        <id>alimaven</id>
        <mirrorOf>central</mirrorOf>
        <name>aliyun maven</name>
        <url>http://maven.aliyun.com/nexus/content/repositories/central/</url>
    </mirror>


    <!-- 中央仓库1 -->
    <mirror>
        <id>repo1</id>
        <mirrorOf>central</mirrorOf>
        <name>Human Readable Name for this Mirror.</name>
        <url>http://repo1.maven.org/maven2/</url>
    </mirror>


    <!-- 中央仓库2 -->
    <mirror>
        <id>repo2</id>
        <mirrorOf>central</mirrorOf>
        <name>Human Readable Name for this Mirror.</name>
        <url>http://repo2.maven.org/maven2/</url>
    </mirror>
</mirrors> 

</settings>

创建项目执行入口

org.apache.catalina.startup.Bootstrap

-Dcatalina.home=catalina-home
-Dcatalina.base=catalina-home
-Djava.endorsed.dirs=catalina-home/endorsed
-Djava.io.tmpdir=catalina-home/temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=catalina-home/conf/logging.properties

修改org/apache/jasper/compiler/JDTCompiler.java内容,有两处

修改org.apache.catalina.startup.ContextConfig 文件的 configureStart()方法,初始化 JSP 解析器的代码

context.addServletContainerInitializer(new JasperInitializer(), null);

配置完成,启动项目,访问tomcat

http://127.0.0.1:8080

三、过程分析

3.1 tomct连接器

tomcat中有connector和container两个核心组件,前者对外处理socket连接,后者对内加载和管理servlet,当用户发起请求时,connector收到请求并调用protocolhandler的processor组件解析应用层协议并生成request对象,adaptor再把生成的request对象传递到container做下一步处理

3.2 调试分析

url解析受位于java/org/apache/catalina/connector/CoyoteAdapterparsePathParameters()normalize()两个函数影响,打下断点,向/123;456/../index.jsp路径发起请求

01 parsePathParameters

进入parsePathParameters函数,先判断url中是否含有;号,不存在时返回-1并且return,存在则向下继续执行代码,此时返回分号编号为4

/ 1 2 3 ; 4 5 6 / .  .  /  i  n  d  e  x  .  j  s  p
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

进入循环,将第二个斜杠后的数据与分号后、斜杠前的pv数据依次做覆盖操作,然后取前17位数得到处理后的数据uriBC,函数结束

/ 1 2 3 / .  .  /  i  n  d  e  x  .  j  s  p  .  j  s  p
0 1 2 3 8 9 10 11 12 13 14 15 16 17 18 19 20
1 2 3 4 5 6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21

02 normalize

进入normalize函数,可以看到对\///.//../四种情况进行处理

  1. 将反斜杠替换为斜杠,\ ==> /

  1. 将双斜杠替换为单斜杠,// ==> /

  1. 去掉/./中的点

  1. /../进行跨目录操作

进入循环,每出现一个/../就向上层目录回溯一次,类似parsePathParameters函数处理分号的逻辑,将/../之后的数据与/../之前的数据做覆盖操作,然后取前10位数的到处理后的uriBC,函数结束

/ 1 2 3 / . . / i n  d  e  x  .  j  s  p
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

/ i n d e x . j s p d e x . j s p 
1 2 3 4 5 6 7 8 9 10

3.3 小结

先parsePathParameters处理分号,再normalize处理斜杠、反斜杠、点

//aaa;bbb/./../  ==> parsePathParameters()  ==> //aaa/./../

//aaa/./../  ==> normalize()  ==> /
    -->  /aaa/./../
    -->  /aaa/../
    -->  /

normalize函数对参数进行了一次decodedURI()操作,所以支持传入url编码后数据,但parsePathParameters函数是直接传入参数,以下地址经过均可访问到主页:

//
/./
/.;/
/aaa/../
/;aaa
/aaa;bbb/../
/aaa;bbb/.././
/aaa/..;./
/aaa;../..;/
/.;/aaa/../
/%2e;/

四、利用场景

4.1 绕过安全设备

某些安全设备存在白名单,对后缀为白名内的请求完全放行,如果服务器使用tomcat作为web容器,则可能存在安全设备绕过风险,如:

  1. 攻击者向服务器/sql_vuln/id=1+and+1=1;favicon.ico发起请求
  2. 安全设备收到请求,发现到后缀为ico,在白名单内不做检测并放行
  3. 服务器收到请求后对url解析,得到/sql_vuln/id=1+and+1=1
  4. 绕过安全设备,成功注入

4.2 绕过访问限制

当后端服务器通过用户当前请求路径来判断权限时,可能存在绕过风险,如:

  1. 攻击者使用a账户访问admin文件路径,/;/admin/aaa/../admin
  2. 服务器通过路径来判断当前用户是否具备admin文件访问权限,此时HttpServletRequest.getRequestURI()取得的值是原生地址:即/;/admin,判断不等于/admin,可以访问
  3. tomcat对url解析,最终值为/admin,攻击者便成功访问/admin文件

案例:

  • Shiro < v1.5.2 身份认证绕过(CVE-2020-1957)
  • Shiro < v1.5.3 身份认证绕过(CVE-2020-11989)
  • Shiro < v1.6.0 身份认证绕过(CVE-2020-13933)

五、参考

点击收藏 | 3 关注 | 2
  • 动动手指,沙发就是你的了!
登录 后跟帖